I’m automating the setup of a LEMP stack (Ubuntu 16.04.1, NginX, MariaDB and PHP7) and using letsencrypt for cert issuing. I’ve written a bash file that sets up the server perfectly, installs letsencrypt and issues a cert. The way I’m running the bash file is by git cloning it to a directory, let’s say:

~/temp/setup_server_script

Then, I’m running the script from there and letting it do its thing:

# cd ~/temp/setup_server_script
# sudo ./script.sh

The part in that script that takes care of installing letsencrypt is:

# apt-get -qq install -y letsencrypt > logs/stdout.txt 2>&1

Note - I’m trying to do this as automated and quietly as possible…

And the part in the script that installs the cert is:

# letsencrypt certonly -a webroot --webroot-path=/var/www/html --agree-tos --email example@example.com -d example.com

The problem that I’m having is with renewals. There’s only one domain/cert per server so I’m just running

So I check out the conf file in question:

cat /etc/letsencrypt/renewal/example.com.conf

And I realise that the fullchain_path, cert_path, and chain_path values are all incorrect and are pointing to the directory in which I initiated the bash script to run from:

fullchain_path = /root/temp/setup_server_script/chain.pem
cert_path = /root/temp/setup_server_script/cert.pem
chain_path = /root/temp/setup_server_script/chain.pem

Obviously this is not correct as the .pem files are in:

/etc/letsencrypt/live/example.com

My questions are:

1. Is this the best (or at least a good) way to automate letsencrypt via shell script?
2. If so, how can I make sure the renewal .conf file has the correct paths for fullchain_path, cert_path, and chain_path?
3. Is there a better way to renew or something I’m missing that will fix this?

This is where I’m at so far, but ultimately I’d like to automate the setup of automatic cert renewals by adding some commands to the shell script that will in turn add a line or two to the crontab. Just need to figure out what renewal commands I can add to get this working properly!

As I cannot see your bash script I would just suggest making it run from the correct folder in future so it does not do this in future. To fix it now simply edit the .conf file in the /renewal/ folder and put in the correct locations.

I wonder if I can write the letsencrypt commands into a second bash script, then make the original bash script copy over the second script to the correct directory and initiate the script to run. I’ll do some testing and see if that works.

So am I right in thinking that any certonly command (inside or outside a bash script) such as:

letsencrypt certonly -a webroot --webroot-path=/var/www/html --agree-tos --email example@example.com -d example.com

Should be run from /etc/letsencrypt/ and cannot be run from any other directory or else the renewal config will be incorrect? I feel like I’m missing something. Maybe this only applies when running the commands from a bash script?

This should not happen this way. Do you think you could share the whole script with us in case there are any other indications for something that could have caused this?

What version of letsencrypt do you have as a result of installing it from the package manager? Would you be willing to try certbot-auto to get a (maybe much) more up-to-date client outside of your package manager?

Just had a check and I can see that my letsencrypt version is 0.4.1, which was installed using the Ubuntu 16.04 package manager.

Bear in mind that this was my first project with bash scripting and was intended to be a learning process. (In other words, don’t judge my messy code too harshly - there’s still a hell of a lot for me to learn!)

The parts of my script that relate in any way to letsencrypt are:

Firstly, I collect some vars from the script user and call some other .sh files depending on the users choice to setup the server for http or https:

I would start out by using the latest certbot script; the one in the repo is way too old, certbot is currently at 0.10.1.
I run my command lines from /opt/certbot where I have the certbot-auto script, it automatically places certs and renewal.conf files in the correct locations with the correct folder locations in those conf files.

In my experience, letsencrypt 0.4.1 really does set those renewal configuration settings relative to the current directory, but it doesn’t break renewal. cert, privkey, chain and fullchain are set correctly, too. Only cert_path, chain_path and fullchain_path are wrong, and they’re probably ignored.
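As an added example (not code from the thread or from certbot), here is a POSIX shell snippet that does what the earlier reply suggests, editing the renewal conf so cert_path, chain_path and fullchain_path point into /etc/letsencrypt/live/<domain>/, and then verifying the result. It assumes each *_path key should point at the same-named .pem file in the live directory (note the thread’s conf even had fullchain_path pointing at chain.pem); the sample conf below is constructed to mirror the wrong values shown above.

```shell
#!/bin/sh
# Added example, not from the thread: point the *_path keys of a letsencrypt/certbot
# renewal conf at the live directory and verify them.
# Assumption: /etc/letsencrypt/live/<domain>/{cert,chain,fullchain}.pem is the layout.

# Rewrite cert_path, chain_path and fullchain_path in-place (via a temp file).
fix_renewal_paths() {
  conf="$1"
  domain="$2"
  live="/etc/letsencrypt/live/$domain"
  tmp="$conf.new"
  # Each key gets the file of the same name: fullchain_path -> fullchain.pem, etc.
  sed -e "s|^cert_path *=.*|cert_path = $live/cert.pem|" \
      -e "s|^chain_path *=.*|chain_path = $live/chain.pem|" \
      -e "s|^fullchain_path *=.*|fullchain_path = $live/fullchain.pem|" \
      "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# Returns 0 only when every *_path key points at a .pem under the live directory.
check_renewal_paths() {
  conf="$1"
  domain="$2"
  for key in cert_path chain_path fullchain_path; do
    value=$(sed -n "s/^$key *= *//p" "$conf")
    case "$value" in
      "/etc/letsencrypt/live/$domain/"*.pem) ;;   # acceptable
      *) return 1 ;;                               # missing or wrong directory
    esac
  done
  return 0
}

# Constructed sample conf mirroring the wrong values reported in the thread.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
cert = /etc/letsencrypt/live/example.com/cert.pem
privkey = /etc/letsencrypt/live/example.com/privkey.pem
fullchain_path = /root/temp/setup_server_script/chain.pem
cert_path = /root/temp/setup_server_script/cert.pem
chain_path = /root/temp/setup_server_script/chain.pem
EOF

if check_renewal_paths "$SAMPLE_CONF" example.com; then
  echo "paths already correct"
else
  fix_renewal_paths "$SAMPLE_CONF" example.com
  cat "$SAMPLE_CONF"
fi
```

On a real server run the same two functions against /etc/letsencrypt/renewal/<domain>.conf (as root) instead of the constructed sample; the check can also be dropped into the setup script right after the certonly call to catch the problem before the first renewal.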